# Connect target AWS accounts
<a name="transform-vmware-connect-target-account"></a>

Configure your target AWS account connector for network migration, landing zone build, and server migration. This involves three steps: select your migration type, provide your MAP agreement details (if applicable), and set up the connector. These settings apply across all migration stages — network migration, landing zone, and server rehost.

## Step 1: Migration type selection
<a name="transform-vmware-cta-migration-type"></a>

Choose whether you are performing a single-account or multi-account migration:
+ **Single-account migration** – All workloads migrate to one target AWS account. The connector target account and the target account are the same.
+ **Multi-account migration** – Workloads migrate to different target accounts. The connector must be connected to the organization management account or a Delegated Administrator (DA) account registered for both AWS Application Migration Service (Application Migration Service) and CloudFormation StackSets.

## Step 2: MAP agreement
<a name="transform-vmware-cta-map-tag"></a>

If your migration is part of the **AWS Migration Acceleration Program (MAP 2.0)**, provide your Migration Portfolio Experience (MPE) ID — a 10-character code using uppercase letters and digits (for example, ABCDE12345). When you provide your MPE ID, the MAP tag is applied to all resources created across network migration, landing zone, and server rehost stages. The tag format is:
+ **Key:** `map-migrated` **Value:** `migMPE_ID`

You must apply MAP tags to receive MAP credit. For more information about MAP, see [AWS Migration Acceleration Program](https://aws.amazon.com/migration-acceleration-program/).

## Step 3: Connector configuration
<a name="transform-vmware-cta-connector"></a>

You use the target account connector to connect your migration job to the AWS environment where your workloads will reside after migration. Before you begin, verify that your target AWS account has the necessary permissions, quotas, and configurations to support your migrated infrastructure.

When you approve the connector request, you grant AWS Transform permissions to:
+ Manage Amazon S3 bucket operations (read/write) for VMware migration, and access AWS Migration Hub and Application Migration Service. This grant includes permissions for the following items, all restricted to resources within the target account that are tagged with `CreatedBy:AWSTransform` or `CreatedFor:AWSTransform`:
  + Manage migration waves.
  + Manage network configurations (Amazon EC2, VPC, Transit Gateway, Direct Connect, Load Balancers, Network Firewall).
  + Manage CloudFormation stack deployments.
  + Perform automated agent installations through Systems Manager.
+ Migrate your on-premises workloads to the target AWS account and Region by using the information stored in the discovery Region.
+ Provision and manage landing zone infrastructure in the target AWS account and Region. This includes permissions for the following items, restricted to resources that are tagged with `CreatedBy:AWSTransform` where applicable:
  + Perform Amazon S3 bucket operations (create, read, write, delete) for buckets that start with `transform-vmware-landing-zone-`.
  + Manage CloudFormation stack deployments and change sets for landing zone stacks.
  + Perform AWS Control Tower operations: manage landing zones, enable baselines, and enable controls.
  + Manage AWS Organizations: create and manage organizational units, create accounts, and move accounts between organizational units.
  + Manage service control policies (SCPs) through AWS Control Tower.
  + Manage AWS Service Catalog provisioning artifacts.

**Note**  
Connector types might be updated when new features require permission changes. The current version for the target account connector type is 2.0. When you create a new connector, it uses the latest version.

Before you set up the connector, understand the account roles involved in your migration:

| Account | Description | 
| --- | --- | 
| AWS Transform account | Any member account in your AWS Organization where you set up AWS Transform. This is where your AWS Transform workspace runs. It does not need to be the management account. | 
| Connector target account | The account that your AWS Transform connector is configured to use. In a single-account migration, this is the target account itself. In a multi-account migration, it is the organization management account or a Delegated Administrator (DA) account that is registered for both Application Migration Service and CloudFormation StackSets. | 
| Target account | The AWS account where your workloads are migrated to. In a single-account migration, this is the same as the connector target account. In a multi-account migration, these are the individual member accounts receiving the migrated workloads. | 

### Using a delegated administrator account
<a name="transform-vmware-cta-delegated-admin"></a>

For multi-account migrations, AWS recommends that you use a Delegated Administrator (DA) account rather than the organization management account directly. A DA account follows the principle of least privilege by limiting the scope of permissions required for migration operations. The DA account must be registered as delegated administrator for both Application Migration Service and CloudFormation StackSets in your AWS Organization.

The key difference between the two options is:
+ **Management account** – Can enable trusted access for Application Migration Service and CloudFormation StackSets across the organization. AWS Transform calls CloudFormation StackSets APIs with `CallAs: SELF`.
+ **Delegated Administrator account** – Cannot enable trusted access directly (that must be done from the management account), but can manage Application Migration Service source servers, launch instances, and deploy CloudFormation StackSets across member accounts. AWS Transform calls CloudFormation StackSets APIs with `CallAs: DELEGATED_ADMIN`.

For more information, see [Delegated administrator for Application Migration Service](https://docs.aws.amazon.com/mgn/latest/ug/mgn-delegated-admin.html) in the *Application Migration Service User Guide*.
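The following preflight check, added here as an example and not part of the AWS Transform product or documentation, resolves which `CallAs` value applies to a candidate connector account and fails early when the account is neither the management account nor a delegated administrator for both services. It assumes the Organizations service principals `mgn.amazonaws.com` (Application Migration Service) and `member.org.stacksets.cloudformation.amazonaws.com` (CloudFormation StackSets delegated administration); the account IDs in the sample data are constructed.

```python
"""Preflight check for a multi-account migration: which CallAs value applies
to the account the connector will target?

Added example, not AWS Transform code. Assumptions: the two Organizations
service principals below are the ones that register a delegated
administrator for Application Migration Service and CloudFormation StackSets.
"""
from typing import Dict, Set

MGN_PRINCIPAL = "mgn.amazonaws.com"
STACKSETS_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"
REQUIRED_PRINCIPALS = {MGN_PRINCIPAL, STACKSETS_PRINCIPAL}


def resolve_call_as(connector_account: str,
                    management_account: str,
                    delegated_admins: Dict[str, Set[str]]) -> str:
    """Return "SELF" for the management account, "DELEGATED_ADMIN" for an
    account registered as delegated administrator for *both* services, and
    raise ValueError otherwise (naming the missing registrations).

    delegated_admins maps a service principal to the set of account IDs
    registered as delegated administrator for it.
    """
    if connector_account == management_account:
        return "SELF"
    missing = sorted(p for p in REQUIRED_PRINCIPALS
                     if connector_account not in delegated_admins.get(p, set()))
    if missing:
        raise ValueError(
            f"account {connector_account} is not the management account and is "
            f"not a delegated administrator for: {', '.join(missing)}")
    return "DELEGATED_ADMIN"


def load_delegated_admins_from_aws() -> Dict[str, Set[str]]:
    """Collect the registrations from AWS Organizations. Needs boto3 and
    credentials with organizations:ListDelegatedAdministrators in the
    management account; not used by the offline sample run below."""
    import boto3  # imported lazily so the offline checks need no boto3
    org = boto3.client("organizations")
    result: Dict[str, Set[str]] = {}
    for principal in REQUIRED_PRINCIPALS:
        ids: Set[str] = set()
        token = None
        while True:  # manual NextToken loop; the API is paginated
            kwargs = {"ServicePrincipal": principal}
            if token:
                kwargs["NextToken"] = token
            page = org.list_delegated_administrators(**kwargs)
            ids.update(a["Id"] for a in page["DelegatedAdministrators"])
            token = page.get("NextToken")
            if not token:
                break
        result[principal] = ids
    return result


# Constructed sample data (not real accounts): the management account, one
# account delegated for both services, one delegated only for MGN.
SAMPLE_MANAGEMENT = "111111111111"
SAMPLE_DELEGATED_ADMINS = {
    MGN_PRINCIPAL: {"222222222222", "333333333333"},
    STACKSETS_PRINCIPAL: {"222222222222"},
}

if __name__ == "__main__":
    for acct in ("111111111111", "222222222222", "333333333333"):
        try:
            print(acct, "->", resolve_call_as(acct, SAMPLE_MANAGEMENT,
                                              SAMPLE_DELEGATED_ADMINS))
        except ValueError as err:
            print(acct, "-> not usable:", err)
```

Run it before creating the connector: an account that is registered for Application Migration Service but not for StackSets (the third sample account) is the common misconfiguration, and the error message names the principal that still needs `register-delegated-administrator` from the management account.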

### IAM roles created during setup
<a name="transform-vmware-cta-iam-roles"></a>

During migration setup, a CloudFormation StackSet (`MGNMultiAccountRoles`) is deployed to create the required IAM roles across your target accounts. These roles grant the permissions that AWS Transform needs to replicate servers, launch instances, and install agents in each target account. The following roles are created:
+ `AWSApplicationMigrationConnectorManagementRole` – Used during agent installation to access source server credentials from AWS Secrets Manager.
+ `AWSApplicationMigrationConnectorSharingRole_<ACCOUNT-ID>` – Contains permissions for agent installation across accounts.
+ Application Migration Service service roles – Created automatically during Application Migration Service initialization in each target account. These include roles for replication and launch operations, and cross-account roles for multi-account migrations.

**Note**  
IAM roles are created only if they don't already exist in the account. If they already exist, the setup process doesn't create them again.

### Target account connector setup
<a name="transform-vmware-cta-connector-setup"></a>

**Important**  
During connector setup, an Amazon S3 bucket is created in your target AWS account. Its bucket policy does not enforce HTTPS-only access (a Deny on the `aws:SecureTransport` condition key) by default. If you want the bucket policy to require secure transport, you must update the policy yourself. For more information, see [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html).
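The following script is an added example of that policy update; it is not AWS Transform code and the connector's real bucket name and policy are not known here. It appends the standard deny-non-TLS statement from the S3 security best practices to whatever policy the bucket already has, detects an existing equivalent statement by its effect rather than its `Sid`, and leaves the connector's own statements untouched. The bucket name, account ID and `ConnectorAccess` statement in the sample data are constructed.

```python
"""Idempotently add a Deny-over-HTTP statement to an S3 bucket policy.

Added example, not AWS Transform code. The bucket name, account ID and the
sample "ConnectorAccess" statement are constructed; the deny statement is
the aws:SecureTransport pattern from the S3 security best practices.
"""
import copy
import json
from typing import Optional

DENY_SID = "DenyInsecureTransport"


def _bucket_arns(bucket: str) -> set:
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}


def secure_transport_deny(bucket: str) -> dict:
    """Deny every S3 action on the bucket and its objects unless TLS is used."""
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": sorted(_bucket_arns(bucket)),
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def has_secure_transport_deny(policy: Optional[dict], bucket: str) -> bool:
    """True if some Deny statement already covers aws:SecureTransport=false for
    all S3 actions on both the bucket ARN and its objects. The Sid is ignored
    because an operator may have added the statement under another name."""
    if not policy:
        return False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if str(flag).lower() != "false":
            continue
        res = st.get("Resource", [])
        res = {res} if isinstance(res, str) else set(res)
        actions = st.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if _bucket_arns(bucket) <= res and ({"s3:*", "*"} & actions):
            return True
    return False


def ensure_secure_transport_deny(policy: Optional[dict], bucket: str) -> dict:
    """Return a new policy containing the deny statement. Existing statements
    are kept as they are; a missing policy (None) yields a fresh one."""
    if has_secure_transport_deny(policy, bucket):
        return copy.deepcopy(policy)
    new = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    new.setdefault("Statement", []).append(secure_transport_deny(bucket))
    return new


def harden_bucket(bucket: str) -> bool:
    """Apply the change to a real bucket. Returns True if the policy was
    updated. Needs boto3 and s3:GetBucketPolicy + s3:PutBucketPolicy."""
    import boto3
    import botocore.exceptions
    s3 = boto3.client("s3")
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except botocore.exceptions.ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = None
    if has_secure_transport_deny(current, bucket):
        return False
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(ensure_secure_transport_deny(current, bucket)))
    return True


# Constructed sample: a bucket whose only statement lets one role read/write.
SAMPLE_BUCKET = "example-transform-connector-bucket"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ConnectorAccess",  # constructed stand-in for the connector grant
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExampleConnectorRole"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(ensure_secure_transport_deny(SAMPLE_POLICY, SAMPLE_BUCKET), indent=2))
```

Because the deny applies to `Principal: "*"`, it also constrains the connector role, which is intended: AWS service-to-service access uses TLS, so the statement only blocks plaintext clients. Keep the check in place after connector upgrades, since a re-created bucket comes back without the statement.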

**To use an existing target account connector**

1. In the **Job Plan** pane, expand **Choose target account**, and then choose **Create or select connectors**.

1. In the **Collaboration** tab, select an existing connector and then choose **Use connector**. If a connector is unavailable, its version isn't compatible with the job type you selected.
**Important**  
If you specify a connector with a target AWS Region that is different from the AWS Transform Region, AWS Transform will transfer your data across AWS Regions.

1. Choose **Continue**.

**To create a new connector**

1. In the **Job Plan** pane, expand **Connect target account**, and then choose **Create or select connectors**.

1. Specify the AWS account and AWS Region for your target, and then choose **Next**.
**Important**  
If the target AWS Region differs from the discovery AWS Region, AWS Transform will transfer your data across AWS Regions.

1. Choose whether to use Amazon S3 managed keys for encryption. If you specify your own KMS key, you can use the default key policy or a less permissive one. For information about creating a KMS key, see [Create a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.

   AWS Transform uses the `kms:DescribeKey` permission to verify the key exists, and `kms:GenerateDataKey` and `kms:Decrypt` to encrypt and decrypt job data in the Amazon S3 bucket. For more information, see [Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html).

1. Choose **Continue**.

1. Copy the verification link, share it with an administrator of the target AWS account, and ask them to approve the connection request.

1. After the administrator approves the request, select the newly created connector from the list and choose **Use connector**.

1. Choose **Send to AWS Transform**.
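Step 3 of the procedure above says a customer managed KMS key may carry a policy less permissive than the default and names the three actions AWS Transform needs. The following added example, which is not AWS Transform or AWS documentation code, builds such a key policy for the target connector role and checks an existing key policy for the three actions. The role and administrator ARNs are constructed placeholders (the real connector role name appears in the **Collaboration** tab), and the check only considers Allow statements granted directly to the role principal: grants routed through the account root plus IAM policies, conditions, and Deny statements are not evaluated, so treat its result as a first pass.

```python
"""Least-privilege KMS key policy for the AWS Transform connector role, plus a
first-pass check of an existing key policy.

Added example, not AWS Transform code. Assumptions: the principal that needs
the key is the target connector role (ARN constructed below), and the three
actions are those named on the page. No kms:ViaService condition is used
because kms:DescribeKey is called directly, not through S3.
"""
from typing import List, Set

CONNECTOR_KMS_ACTIONS = ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"]

# Mirrors the "key administrators" statement of the AWS default key policy.
KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]


def connector_key_statement(role_arn: str) -> dict:
    """Grant only the three actions the connector uses, to the role only."""
    return {
        "Sid": "AWSTransformConnectorUse",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(CONNECTOR_KMS_ACTIONS),
        "Resource": "*",  # inside a key policy, "*" means this key only
    }


def key_policy(role_arn: str, admin_arn: str) -> dict:
    """Administration for one principal, use for the connector role. Unlike
    the default policy there is no grant to the account root, so an IAM
    policy alone cannot confer use of the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_arn},
             "Action": list(KEY_ADMIN_ACTIONS), "Resource": "*"},
            connector_key_statement(role_arn),
        ],
    }


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching with a trailing wildcard (kms:Describe*, kms:*, *)."""
    if pattern in ("*", "kms:*"):
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def missing_connector_permissions(policy: dict, role_arn: str) -> List[str]:
    """Actions from CONNECTOR_KMS_ACTIONS that no Allow statement grants
    directly to role_arn. Root-based grants, conditions and Deny statements
    are deliberately not evaluated (first-pass check only)."""
    granted: Set[str] = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) \
            else _as_list(principal)
        if role_arn not in principals:
            continue
        for pattern in _as_list(st.get("Action")):
            granted.update(a for a in CONNECTOR_KMS_ACTIONS if _action_matches(pattern, a))
    return [a for a in CONNECTOR_KMS_ACTIONS if a not in granted]


# Constructed placeholders; the real connector role name is in the Collaboration tab.
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleConnectorRole"
SAMPLE_ADMIN_ARN = "arn:aws:iam::123456789012:role/ExampleKeyAdmin"

if __name__ == "__main__":
    import json
    policy = key_policy(SAMPLE_ROLE_ARN, SAMPLE_ADMIN_ARN)
    print(json.dumps(policy, indent=2))
    print("missing for connector role:", missing_connector_permissions(policy, SAMPLE_ROLE_ARN))
```

When you attach this policy with `CreateKey` or `PutKeyPolicy`, use the administrator principal as the caller (or include it in `KeyAdministration`); KMS refuses a policy that would leave the calling principal unable to manage the key unless the lockout safety check is bypassed. Re-run `missing_connector_permissions` after the connector is upgraded to a new version, because the role ARN can change.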

If you plan to modify the AWS Application Migration Service template to enable post-launch actions, add the following permission to the target connector role. This JSON policy statement grants the `iam:PassRole` permission for the post-launch actions role. You can find the role name in the **Collaboration** tab after the connector is created. For information about adding permissions to a role, see [Update permissions for a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-permissions.html) in the *IAM User Guide*.

```
{
  "Sid": "MGNPostLaunchActions",
  "Effect": "Allow",
  "Action": [
    "iam:PassRole"
  ],
  "Resource": "arn:aws:iam::target-account-ID:role/service-role/AWSApplicationMigrationLaunchInstanceWithSsmRole"
}
```

### Supported target Regions
<a name="transform-vmware-cta-supported-regions"></a>

When you create the connector, specify a target AWS Region. You can use any of the following AWS Regions:
+ US East (N. Virginia)
+ US East (Ohio)
+ US West (Oregon)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Tokyo)
+ Asia Pacific (Seoul)
+ Asia Pacific (Osaka)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Canada (Central)
+ Europe (Frankfurt)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Paris)
+ Europe (Stockholm)
+ South America (São Paulo)

**Important**  
If you specify a target AWS Region that differs from the AWS Transform AWS Region, your data is transferred across AWS Regions.

**Note**  
If you plan to run a job that includes only server migration (without network migration), additional commercial AWS Regions are available as target Regions. These Regions include US West (N. California), Europe (Milan), Asia Pacific (Jakarta), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Middle East (Tel Aviv), Asia Pacific (Bangkok), Asia Pacific (Kuala Lumpur), Middle East (Bahrain), Africa (Cape Town), Asia Pacific (Hong Kong), and Middle East (UAE).  
To use one of these additional Regions before Q3 2026, contact your AWS account team to request access. After Q3 2026, these Regions will be generally available without an access request.